Haystack
← Back to Jobs
Engineering

Senior Identity & Access Management (IAM) Engineer

Pivotal Technologies IncUnited States🇺🇸United StatesPosted 14 Jul 2026

Quick Overview

Work Type
Hybrid
Level
Mid Senior

Job Description

Senior Identity & Access Management (IAM) Engineer

Role Overview

City of Hope is seeking an elite, highly technical Senior IAM Engineer to architect, secure, and operate our enterprise identity infrastructure [1, 2]. This role is a critical position focused on modernizing our hybrid identity footprint, enforcing zero-trust architecture, and securing privileged access. The ideal candidate possesses deep, hands-on engineering mastery across the Microsoft Entra ID suite, SailPoint Identity Governance, Active Directory, and BeyondTrust PAM [3, 4]. You will be responsible for eliminating identity risk, automating the Joiner-Mover-Leaver (JML) lifecycle, and providing high-confidence identity security across our healthcare and research networks [2].


Core Technical Stack

  • Identity Platforms: Microsoft Entra ID (Azure AD), Active Directory (AD) [3].
  • Identity Governance (IGA): SailPoint [3, 4].
  • Privileged Access Management (PAM): BeyondTrust [4].
  • Protocols & Standards: SAML, OIDC, OAuth 2.0, Kerberos, LDAP, KQL.

Key Responsibilities

Microsoft Entra ID & Hybrid Identity Operations

  • Tenant & Core Identity: Maintain Entra ID tenant architecture, service accounts, directory roles, and emergency break-glass account governance.
  • Hybrid Identity & Synchronization: Manage Entra Connect and Cloud Sync topologies, resolve complex attribute authority matching issues, and monitor global synchronization health.
  • Groups & RBAC: Define enterprise security group standards, engineer dynamic assignment rules, and build scalable Role-Based Access Control (RBAC) and least-privilege authorization models.

🛡 Authentication, Access Control & Application Identity

  • MFA & Passwordless: Design and enforce MFA policies, authentication methods, passwordless configurations (FIDO2, Temporary Access Pass/TAP), and manage exception architectures.
  • Conditional Access (CA): Architect and troubleshoot advanced, risk-based Conditional Access strategies tracking application, network, and device postures.
  • SSO & Application Integration: Own the full lifecycle of application registrations, enterprise apps, OAuth consent workflows, SAML/OIDC configurations, and token claims mapping.

🔐 Privileged & Governance Controls (SailPoint & BeyondTrust)

  • Identity Governance (IGA): Partner to optimize automated SailPoint Joiner-Mover-Leaver (JML) lifecycle workflows, access packages, entitlement management, separation of duties (SoD), and user access reviews.
  • Privileged Access Management (PAM): Architect and configure BeyondTrust and Entra Privileged Identity Management (PIM) to enforce Just-In-Time (JIT) access, admin role approvals, and privileged session auditing.
  • External Identity (B2B): Enforce guest user lifecycle configurations, cross-tenant synchronization, external vendor access reviews, and naming standards.

🚨 Identity Security, Compliance & Incident Response

  • Security Monitoring: Leverage Entra Identity Protection and Microsoft Sentinel integrations to proactively triage identity alerts and anomalies.
  • Compliance & Auditing: Respond to identity-centric incident escalations, gather evidence for regulatory audits, and author Standard Operating Procedures (SOPs).

Required Qualifications

  • Experience: 7+ years of dedicated Identity and Access Management (IAM) engineering experience within an enterprise environment.
  • Platform Mastery: Proven hands-on engineering experience configuring and maintaining Microsoft Entra ID (Azure AD) and on-premises Active Directory [3].
  • Governance Tools: Deep technical experience interacting with SailPoint for identity lifecycle automation and access governance [3, 4].
  • Privileged Infrastructure: Hands-on experience operating BeyondTrust or Entra PIM for privileged credential vaulting and session management [4].
  • Automation: Strong scripting capabilities (PowerShell, Microsoft Graph API) to automate administrative identity tasks.
  • Education: Bachelor’s degree in Computer Science, Information Security, or equivalent professional experience.

Preferred Certifications

  • Microsoft Certified: Identity and Access Administrator Associate (SC-300)
  • Microsoft Certified: Azure Administrator Associate (AZ-104)
  • Certified Information Systems Security Professional (CISSP)
  • SailPoint Certified IdentityNow/IdentityIQ Engineer or BeyondTrust Certified Engineer [4]

Similar jobs